Phishing for clicks in social cliques: shockingly easy

A study on students' susceptibility to phishing reveals that victims can be …

Back in April, news spread about a study of the effectiveness of phishing attacks, run by researchers at Indiana University. The study prompted a bit of an uproar, as many questioned the ethics of the researchers involved in a study where the basic design involved deceiving students who were included in the experimental population without their knowledge. A preprint of the results is now available (PDF), and it paints a pretty clear picture of both the risks and ethical issues involved.

The study was designed to determine whether Internet users were more susceptible to a phishing attack if it came from someone who appeared to be familiar. To generate a database of relationships, the authors used a publicly available Perl module to crawl social networking sites, including Friendster, MySpace, Facebook, Orkut, and LinkedIn. They selected Indiana students from this database and picked a target population based on the quality of the personal information that was obtained.

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject's social network. The message body consisted of the phrase "hey, check this out!" along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.
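The mismatch between where such a link claims to go and where it actually leads is something a mail filter can check. The sketch below is an added example, not code from the study; it assumes an HTML message whose visible link text names one host while the href targets another, and the sample message and the stand-in domain example.edu are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a message from the study; example.edu is a stand-in domain.
SAMPLE = """\
From: A Friend <friend@example.edu>
Content-Type: text/html; charset="utf-8"

<p>hey, check this out!</p>
<a href="http://www.whuffo.com/login">http://www.example.edu/~friend/photos</a>
<a href="http://www.example.edu/news">campus news</a>
"""
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site(host):
    # Naive "last two labels" comparison; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def mismatched_links(raw_message):
    """Return (host shown in link text, host the href targets) pairs that disagree."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
        for href, text in collector.links:
            shown, target = HOST_RE.search(text), urlparse(href).hostname
            if shown and target and site(shown.group(1)) != site(target):
                findings.append((shown.group(1).lower(), target))
    return findings
```

Links whose visible text contains no hostname (the second anchor in the sample) are not flagged, and the check says nothing about the spoofed sender header, which has to be caught by sender authentication at the receiving server.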

The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).

Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that's in part because those majors fell for the control phish half the time. Science majors had the largest disparity—there were no control victims, but the phish had an 80 percent success rate in the experimental group.

The authors were relieved to find that technology majors had the lowest percentage of victims in both cases. Lest they feel too smug, however, it's worth noting that the experimenters had to discard a second phishing experiment because they mis-coded their own bulk mailing script.

The paper discusses the ethical aspects of the work in detail, noting that it went through institutional review, and the researchers specifically obtained a waiver to the regulations that normally require the consent of experimental subjects. Everything appears to be done by the books, although the researchers recognize that they may have unnecessarily contributed to the stress students felt as finals approached.

There are some potentially valid ethical complaints about the results themselves, however, as the authors are essentially providing advice for phishers without suggesting any effective countermeasures. The study triggered a campus-wide antiphishing campaign at Indiana, but no data is available yet regarding its effectiveness, and it was clearly not helpful for students elsewhere. The authors discuss a number of possible technical countermeasures, but they recognize that most would be of limited utility. That said, this is hardly the first study to point out vulnerabilities; the authors reference earlier work that revealed that most West Point students would reveal password information in response to anyone claiming to be a colonel.

The authors set up a discussion forum for study participants to provide additional feedback. Despite the strain of being invaded by "the Slashdot crowd," the forum revealed a complex response to being a phishing victim that reads a bit like the five stages of grief, with extra emphasis on anger and denial. But the response also highlighted the lack of knowledge on two key features of phishing: the ease with which mail can be spoofed and the danger of providing personal information to any site that will allow it to be publicly accessed. Highlighting those risks to populations beyond Indiana students might go a long way towards improving Internet security.